(base) root@lnpg \~# mkdir -p /db/user_audit
(base) root@lnpg \~# touch /db/user_audit/user_audit.log
(base) root@lnpg \~# chown nobody:nobody /db/user_audit/user_audit.log
(base) root@lnpg \~# chmod 002 /db/user_audit/user_audit.log
(base) root@lnpg \~# chattr +a /db/user_audit/user_audit.log
(base) root@lnpg \~# vi /etc/profile
/etc/profile
export HISTORY_FILE=/db/user_audit/user_audit.log
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(id|awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTORY_FILE'(base) root@lnpg \~# source /etc/profile
新开窗口做操作,可以看到实时的记录到用户的操作
(base) root@lnpg \~# tail -f /db/user_audit/user_audit.log
2025-10-20 11:57:07 ##### root pts/2 (10.168.20.66) #### uid=0(root) #### source /etc/profile
2025-10-20 11:57:33 ##### root pts/4 (10.168.20.66) #### uid=0(root) #### history|head
2025-10-20 11:57:42 ##### root pts/4 (10.168.20.66) #### uid=0(root) #### pwd
2025-10-20 11:57:49 ##### root pts/4 (10.168.20.66) #### uid=0(root) #### ls
2025-10-20 11:57:58 ##### root pts/4 (10.168.20.66) #### uid=54323(dmdba) #### exit
2025-10-20 11:58:05 ##### root pts/4 (10.168.20.66) #### uid=54323(dmdba) #### free -h
将文件名按日志保存写入:
export CURRENT_DATE=$(date "+%Y-%m-%d")
export HISTORY_FILE=/db/user_audit/user_audit_${CURRENT_DATE}.log
export PROMPT_COMMAND='{ date "+%Y-%m-%d %T ##### $(who am i |awk "{print \$1\" \"\$2\" \"\$5}") #### $(id|awk "{print \$1}") #### $(history 1 | { read x cmd; echo "$cmd"; })"; } >> $HISTORY_FILE'
=========================
(base) [root@lnpg ~]# chmod -R 777 /db/user_audit/
chmod: changing permissions of '/db/user_audit/user_audit.log': Operation not permitted
(base) [root@lnpg ~]# ll /db/user_audit/*
-rwxrwxrwx 1 root root 294 Oct 20 13:32 /db/user_audit/user_audit_2025-10-20.log
--------w- 1 nobody nobody 2347 Oct 20 13:31 /db/user_audit/user_audit.log
(base) [root@lnpg ~]# chown -R nobody:nobody /db/user_audit/
chown: changing ownership of '/db/user_audit/user_audit.log': Operation not permitted